Bastion ACS
The ACS synchronizes employees with the local person storage and listens to events, based on which it decides whether or not to open the turnstile. These events are generated in Access by the CreateBastionEvent pipeline.
- Supported Bastion ACS versions: 2.1.11.2337, 2.1.13.2347, 2025.1, 0.23.3-17064.
When using Bastion version 2, the SendToDevice pipeline is required.
When using Bastion version 3, the LunaEventListener + SendToLuna pipeline is not required.
Supported integration options for Bastion ACS
The face recognition device generates an event, Access passes the event to LP5, LP5 processes the event and returns the result to Access for further processing.
Transfer of user data from the ACS to LP5 occurs using two mechanisms:
- replication - the mechanism for the initial transfer of user data;
- synchronization - the mechanism for periodic transfer of user data when the composition/data of users changes.
For the synchronization/replication settings, see the service settings.
Each integration with LP5 (Table 36) uses the Luna service.
If the terminal does not have data output facilities (e.g., a screen), the SendToDevice pipeline is not required.
Table 36. LP5 integration options
Each integration with CBS (Table 37) uses the CBS service.
Table 37. CBS integration options
Service | Device | Pipeline |
---|---|---|
CbsMts + Bastion | Beward | MatchByPhoto + SendToDevice + CreateBastionEvent |
CbsMts + Bastion | Dahua | MatchByPhoto + CreateBastionEvent |
CbsMts + Bastion | HikvisionCamera | MatchByPhoto + CreateBastionEvent |
CbsMts + Bastion | LunaFast4A1 | MatchByPhoto + SendToDevice + CreateBastionEvent |
CbsMts + Bastion | UniUbi | MatchByPhoto + SendToDevice + CreateBastionEvent |
Standard integration using Bastion
Bastion ACS software integrations with biometric systems are implemented to ensure the passage of recognized persons through a turnstile/door with a magnetic lock.
Integration with Bastion for the passage of recognized faces through a turnstile or a door with a magnetic lock uses standard Access components (Figure 53, Table 38).

Table 38. Integration Description
Component | Description |
---|---|
1f | |
Person | A person wishing to pass through a passage point. |
Passage point | A set of components used to control human access. More than one passage point can be connected, limited by the ACS license. A passage point can be used for both entry and exit. Each direction uses its own reader and video data source. |
Video data source | A device for extracting a frame of a person's face. Can be either a biometric terminal (LUNA FAST 4A1 and others) or a camera connected via FaceStream. |
Device ... | An Access component for receiving data from a video data source. Selected based on the device used. |
Controller | Passage point control board. |
Turnstile | A barrier device for access control. |
Bastion ACS | Central software for working with Bastion. Stores employee data and makes decisions on access provision. |
Bastion Service | Access component for processing information from ACS. |
Add-on for 2f | |
Reader | Device for receiving access card data. |
Working with LP5 and CBS | |
MatchByPhoto Pipeline | Access component for interacting with BS. |
CreateBastionEvent Pipeline | Access component for listening to event queues in Luna and generating events in Access. |
SendToDevice Pipeline | Access component for sending a signal to open a relay to a device and displaying text on the screen. Required only when integrating Bastion 2 ACS. |
Setting up the Bastion 3 ACS software
1․ Open the Bastion-3 ACS software — Control Panel.
2․ Go to the Drivers → Face Driver → "Face" Driver Configurator → General Settings section (Figure 54)

3․ Set the ONVIF port, login, and password.
4․ Go to the "External System Servers" section and add a new server by clicking "+".
5․ In the new server settings, enter the Access address in the "host:port" format in the "person profile management service" and "event service" address fields, set the login and password for both services (Figure 55)

6․ Go to the "Physical access points" section and add a new access point by clicking "+".
7․ Select the Door N R{N} access point.
8․ In the "Description" field, enter the name of the camera that works with this access point.
The access point description must match the device name in Access.
9․ Select the "Access in identification mode" operating mode.
When changing the access point mode in the ACS, you must restart the Bastion service in Access (Figure 56)

10․ Save the changes by clicking the floppy disk icon.
11․ Configure pass management: Bastion 3 → Access Bureau.
12․ Create a new pass request. Go to Requests → Click "+" on the toolbar (Figure 57).

13․ Fill in the required fields and click OK (Figure 58)

14․ Issue passes. Go to Requests → Select the target request → Click "Issue pass" on the toolbar (Figure 59)

15․ Check "Issue a new access card" → Generate a random code → Issue (Figure 60)

Issued passes are displayed on the "Issue" tab.
16․ Editing a pass. Go to the Issued tab → Required pass → Pass properties.
Setting up a two-factor Bastion access point
1․ Open the Bastion-3 ACS software — Control Panel.
2․ Go to the Drivers → Face Driver → "Face" Driver Configurator → Physical Passage Points section and select/add a passage point.
3․ In the "Description" field, enter the name of the camera that works with this passage point.
The passage point description must match the device name in Access.
4․ Select the "Access in two-factor authentication mode" operating mode.
When changing the mode at the passage point in the ACS, you must restart the Bastion service in Access.
5․ Save the changes by clicking the floppy disk icon (Figure 61)

6․ Open the Control Panel and go to the Drivers → Personnel settings profiles section (Figure 62)

7․ Select a profile → Permissions and enable the "Access with confirmation" function.
8․ Save the changes by clicking the floppy disk icon (Figure 63)

9․ In the Access UI, go to the "Services" tab and click the Bastion component restart button. In the Bastion component info, check the "enabled_2fa" setting of the access point that you edited in the previous step.
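One way to automate the check in step 9, as an added example that is not part of the vendor documentation: it compares each access point's description with the device names in Access and verifies "enabled_2fa" for the points that policy requires to be two-factor. Only the "enabled_2fa" key and the description/device-name rule come from the page; the record layout, the function name and the exact-match rule are assumptions, and the sample data is constructed.

```python
def audit_access_points(access_points, device_names, require_2fa):
    """Return (access_point, problem) findings for the checks the page calls for.

    The dict keys "name" and "description" are hypothetical; "enabled_2fa" is
    the flag shown in the Bastion component info.
    """
    devices = set(device_names)
    folded = {d.strip().casefold(): d for d in devices}
    bound = {}      # device name -> access point already using it
    findings = []
    for ap in access_points:
        name, desc = ap["name"], ap.get("description", "")
        if desc in devices:
            if desc in bound:  # each direction needs its own video data source
                findings.append((name, f"device {desc!r} already used by {bound[desc]}"))
            bound.setdefault(desc, name)
        elif desc.strip().casefold() in folded:
            near = folded[desc.strip().casefold()]
            findings.append((name, f"description {desc!r} is not an exact match for {near!r}"))
        else:
            findings.append((name, f"no Access device named {desc!r}"))
        # Pass only when the flag is literally true: a missing key or a string
        # such as "false" must not count as two-factor.
        if name in require_2fa and ap.get("enabled_2fa") is not True:
            findings.append((name, "policy requires 2FA but enabled_2fa is not true"))
    return findings

# Constructed sample data (not from a real installation).
DEVICES = ["Lobby-In", "Lobby-Out", "ServerRoom"]
ACCESS_POINTS = [
    {"name": "Door 1 R1", "description": "Lobby-In", "enabled_2fa": False},
    {"name": "Door 1 R2", "description": "lobby-out ", "enabled_2fa": False},
    {"name": "Door 2 R1", "description": "ServerRoom", "enabled_2fa": False},
    {"name": "Door 3 R1", "description": "Lobby-In", "enabled_2fa": True},
]
REQUIRE_2FA = {"Door 2 R1", "Door 3 R1"}

if __name__ == "__main__":
    for ap, problem in audit_access_points(ACCESS_POINTS, DEVICES, REQUIRE_2FA):
        print(f"{ap}: {problem}")
```

An access point that is meant to be two-factor but reports "enabled_2fa" as anything other than true would admit on face recognition alone, so that finding is the one to treat as blocking.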
Methods of interaction with Bastion
Access acts as a server and a client (Table 39).
ONVIF methods are sent to Access at the POST /vl-access/webhook/service/onvif/{component_id} endpoint.
Table 39. Bastion methods
Task | Method | Description |
---|---|---|
Get access points | POST /onvif/accesscontrol | Request to the ACS. Gets access point (controller) IDs for manual matching of cameras/terminals and access points. |
Get a list of ONVIF services | POST /onvif/device_service | Gets the list of component_id values of the Access ONVIF services for connection. |
Create user | CreateCredential | ONVIF method. |
Update user | ModifyCredential | ONVIF method. |
Delete user | DeleteCredential | ONVIF method. |
Create subscription | CreatePullPointSubscription | ONVIF method. Subscribes to events. |
Get detection events | PullMessages | Get employee detection events. The request is sent every 10 seconds and waits 10 seconds until a frame appears. |
Bastion Interaction Process Diagrams
Connecting the Bastion service and replicating employees
Sequence diagram (Figure 64).

Connecting the service
1․ The user added the Bastion service to Access.
2․ Access sends a request to the ACS to obtain access points. The obtained access points are displayed in the info field of the service properties. The request is used to check the availability of the ACS.
3․ The ACS returns access points.
4․ The ACS sends a request to Access to obtain a list of Access services that support the ONVIF protocol.
5․ Access returns the component_id of the ONVIF services.
Employee replication
6․ ACS sends a request to Access to get a list of all persons.
7․ Access returns a list of persons.
8․ ACS sends a POST /vl-access/webhook/service/onvif/{component_id} CreateCredential (or DeleteCredential/ModifyCredential) request to Access to work with employees in the Access storage.
9․ Access sends a request with employee photos to the BS to extract descriptor_id (face_id).
10․ BS returns descriptor_id.
11․ Access saves information on each employee to local storage.
Events with 1 factor
12․ ACS sends a request to Access to open a subscription to receive events (the best shots of a person at the terminal).
13․ The ACS sends a POST /vl-access/webhook/service/onvif/{component_id} PullMessages request every 10 seconds to wait for a pass event.
14․ Access returns the pass event to the ACS.
15․ The ACS makes a decision to open the terminal.
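The PullMessages long poll from steps 12 to 15 and Table 39, as an added example that is not part of the vendor documentation: it builds the ONVIF request body and parses a response, including the empty response of a poll that expired without a frame. The namespaces are the standard SOAP 1.2, ONVIF and WS-BaseNotification ones; mapping the page's 10-second wait to the ONVIF Timeout element, the MessageLimit value, and the topic and item names in the constructed sample responses are assumptions.

```python
import xml.etree.ElementTree as ET

# Standard SOAP 1.2, ONVIF events, WS-BaseNotification and ONVIF schema namespaces.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "tev": "http://www.onvif.org/ver10/events/wsdl",
    "wsnt": "http://docs.oasis-open.org/wsn/b-2",
    "tt": "http://www.onvif.org/ver10/schema",
}

def build_pull_messages(timeout_s=10, limit=10):
    """SOAP body for PullMessages; PT10S is the 10-second wait from Table 39."""
    env = ET.Element(f"{{{NS['s']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['s']}}}Body")
    pull = ET.SubElement(body, f"{{{NS['tev']}}}PullMessages")
    ET.SubElement(pull, f"{{{NS['tev']}}}Timeout").text = f"PT{timeout_s}S"
    ET.SubElement(pull, f"{{{NS['tev']}}}MessageLimit").text = str(limit)  # assumed value
    return ET.tostring(env, encoding="unicode")

def parse_pull_response(xml_text):
    """Return one dict per NotificationMessage; an expired poll yields []."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations rejected in SOAP input")
    events = []
    for note in ET.fromstring(xml_text).iterfind(".//wsnt:NotificationMessage", NS):
        msg = note.find(".//tt:Message", NS)
        if msg is None:
            continue
        items = {i.get("Name"): i.get("Value") for i in msg.iterfind(".//tt:SimpleItem", NS)}
        topic = note.findtext("wsnt:Topic", default="", namespaces=NS).strip()
        events.append({"topic": topic, "utc": msg.get("UtcTime"), "items": items})
    return events

# Constructed sample responses: topic and item names are placeholders.
_WRAP = ('<s:Envelope xmlns:s="{s}" xmlns:tev="{tev}" xmlns:wsnt="{wsnt}" '
         'xmlns:tt="{tt}"><s:Body><tev:PullMessagesResponse>%s'
         '</tev:PullMessagesResponse></s:Body></s:Envelope>').format(**NS)
SAMPLE_EVENT = _WRAP % (
    '<wsnt:NotificationMessage><wsnt:Topic>constructed/FaceDetected</wsnt:Topic>'
    '<wsnt:Message><tt:Message UtcTime="2025-01-01T08:00:00Z"><tt:Data>'
    '<tt:SimpleItem Name="PersonId" Value="constructed-42"/></tt:Data>'
    '</tt:Message></wsnt:Message></wsnt:NotificationMessage>')
SAMPLE_EMPTY = _WRAP % ""  # poll expired, no frame appeared

if __name__ == "__main__":
    print(build_pull_messages())
    print(parse_pull_response(SAMPLE_EVENT), parse_pull_response(SAMPLE_EMPTY))
```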
Processing Bastion events with 2 factors
Sequence diagram (Figure 65).

1․ Access sends a PullMessages request to the ACS every 10 seconds to wait for a passage event.
2․ Access receives the best photo of the employee at the terminal.
3․ Access sends a photo of the employee to the Biometric System.
4․ The BS compares the photos from the terminal and the one saved in the database.
5․ The BS returns a decision to grant access to Access.
6․ Access returns a passage event to the ACS.
7․ The ACS decides to open the terminal.